ZKSync, a protocol for scaling Ethereum with zero-knowledge technology, has confirmed the recovery of approximately $5 million worth of ZK tokens stolen during a recent breach. The hacker returned the funds within a 72-hour “safe harbor” window offered by the protocol’s Security Council, avoiding further escalation.

The exploit occurred on April 15 and involved the unauthorized minting of approximately 111 million ZK tokens through a compromised admin key. The vulnerability was limited to ZKSync’s airdrop distribution contracts and did not impact the broader protocol infrastructure, ZK token contract, or governance operations.

To prevent lengthy legal proceedings, ZKSync’s Security Council offered a 10% bounty for the return of 90% of the stolen funds. The attacker agreed to the terms, and the assets were successfully transferred back to the Security Council. Governance will now decide on the future handling of the recovered assets.

Despite the incident, ZKSync reassured users that customer funds and core infrastructure remained secure. The protocol’s swift response to the breach and successful recovery of the stolen funds demonstrated its commitment to ensuring the security and integrity of the ecosystem.

The exploit temporarily inflated the ZK token supply and triggered a market reaction, although the price of ZK remained relatively stable following the announcement of the recovery. The incident highlighted the importance of robust smart contract access controls and security measures to prevent unauthorized access and exploitation.

Moving forward, protocol governance will play a crucial role in determining the allocation of the recovered assets and implementing additional security measures to prevent similar incidents in the future. The detailed forensic report on the breach and recovery process will provide valuable insights for enhancing security protocols within the ZKSync ecosystem.
